Abstract — Consumption of online services and cloud computing 
offerings is on the rise, largely due to compelling advantages 
over traditional local applications. From a user perspective, 
these include zero-maintenance of software, the always-on nature 
of such services, mashups of different applications and the 
networking effect with other users. Associated disadvantages are 
known, but effective means and tools to limit their effect are 
not yet well-established and not yet generally available to service 
users. We propose (1) a user-centric model of cloud elements 
beyond the conventional <SPI>aaS layers, including activities 
across trust zones, and (2) a personal control console for all 
individual and collaborative user activities in the cloud. 

I. Introduction 

The Internet, originally thought to be a set of peer-to- 
peer connections between its users, has turned into a set 
of unequal participants. On the lower level of wires and 
wireless connections, the concentration of traffic in backbones 
and routers has valid technical reasons. On the higher level 
of Internet applications, any significant concentration is a 
symptom of portals, marketplaces, walled gardens, and the 
general asymmetric differentiation between producers and 
consumers of information. This decreases the collaborative 
potential of sharing applications, services, data and resources. 
The increasing dependency of users on service and cloud 
computing providers and their reduced leeway is often met 
with skepticism, although the number and impact of countermeasures 
remain low. Users still lack overview and control 
mechanisms for their digital trust domain, typically consisting 
of devices and resources under their control. This issue is 
likely to become worse as the mandatory use of government- 
provided online services for citizens is on the rise. Without 
appropriate information and control facilities, the users' informational 
self-determination will be severely decreased. Therefore, 
we propose π-Control, an abstract personal control centre 
for all user activities in the cloud. Its architecture is based on 
a model of typical cloud elements and workflows. The power 
of the control centre approach encompasses summaries of 
current and historic activities as well as context-aware service 
provisioning, migration and replication tools. 

The remainder of this document introduces the model of 
cloud elements and activities, the design criteria of π-Control 
derived from identified problems which can be represented in 
the model, and a proposal for a software architecture to realise 
π-Control as installable software or dedicated appliance. 



II. User-Centric Cloud Elements 

The digital world consists of a variety of objects accessible 
as services and interpretable in various ways, e.g. usage, 
modification operations and execution. A common view of 
the elements of a cloud computing architecture is given in 
Fig. 1. Software services are managed by platform services, 
with both parts being executed on infrastructure also offered 
as a service. The view has been defined as the <SPI>aaS cloud 
model [1]. 

Fig. 1. Conventional administrative interpretation of cloud layers 

This administrator-centric layering of cloud elements is less 
suitable for the consideration of user-centric access to the 
cloud. The central reason for the discrepancy is that users are 
typically not interested in explicit invocation of the platform 
layer which rather serves as transparent middleware, offering 
functions such as login, deployment, search and monitoring 
reports. The platform is also inherently more static than tradeable 
software and infrastructure services which are contracted 
by users explicitly based on their non-functional properties 
such as price or legal status. Therefore, we propose a different 
interpretation, taking into account a wider service definition 
from recent research objectives such as data clouds [2] and 
the reduction of risks associated with cloud computing [3]. 

For simplicity, we start with a definition of $O := \{S, D, R, \ldots\}$ 
in which the globally accessible service-oriented 
offering of objects O consists of (executable) software S, 
(non-executable) data D and resources R. The set of service 
domains of high interest to the user is kept open on purpose to 
allow for future additions. There is a runtime dependency of 
software on computing resources and almost always on data, 
as well as a permanent dependency of both software and data 
on resources for storage. The cloud computing terms SaaS, 
DaaS and RaaS add service interfaces to software, data stores 
and resources, respectively. Hence, O represents digital objects 
in a service-oriented manner 

This user-centric service definition for cloud computing 
scenarios is shown in Fig. 2. We believe that it does not contradict 
previously consolidated comprehensive cloud model 
definitions 

Fig. 2. Service classes in the cloud from a user perspective: Boundaries, 
characteristics and dependencies 

The exclusion of the PaaS-level service platform, possibly 
still consisting of loosely-coupled and uniform platform services, 
from services of interest to the user puts the platform 
into a more hidden, yet central and ubiquitous position. It 
allows for a transparent distribution of the platform, e.g. by 
connecting several devices, and a transparent aggregation of 
various concrete platforms into a logical one. Furthermore, it 
assumes from the beginning that at least one instance of the 
platform services be under the user's control. 

The proposed <SDR>aaS cloud service definition also conveys 
the von Neumann model for computers better than the 
conventional <SPI>aaS model. The separate treatment of software 
and data services, both in combination with supportive 
resource services and complementary human services, will 
lead to flexible views on distributed workflows and scale-out 
scenarios for software applications. 

III. User-Centric Cloud Activities 

User activities in distributed cloud computing scenarios usually 
revolve around personal usage (e.g. device synchronisation, 
backup) and collaborative service use on community-level 
restricted or public open directories and marketplaces (e.g. 
meeting time planner). This introduces the implicit and subjective 
notion of trust zones with most users leaning towards 
entrusting all data to resources on devices under their control, 
most data to resources under control of recognised friends 
or colleagues, some data to resources of identified companies 
and operators, and only uncritical data to completely unknown 
resources. 

Directories and marketplaces for digital objects can usually 
be categorised along the same definition of <SDR>aaS by 
having $M(R)$, $M(S)$ and $M(D)$ as logically separate (albeit 
possibly physically combined) brokers for each kind of service. 
Digital objects can be replicated into personal domains 
$M_{T0}(O)$ in the user's trust zone and under the user's control. 
Objects can also be replicated from there to other domains 
including community directories $M_{T1}(O)$ or again public free, 
commercial and governmental marketplaces $M_{T \geq 2}(O)$. The 
trust level definition is a subjective metric whose only purpose 
is to define a total order of preference for migration and 
replication strategies. Resources cannot be replicated. They 
can either be migrated physically, or access to them can be 
migrated (wholly or partially, as in sharing) as virtual digital 
objects. 

IV. Potential Problem Identification 

Under the assumptions of the model of cloud elements and 
activities presented in the previous two sections, three major 
potential problems can be identified which, in their essence, 
also apply to other cloud computing models. Design criteria 
for a personal cloud control architecture should be set in a 
way that they prevent them from turning into actual problems 
and threats to the user. 

Users lack information. Without appropriate real-time and 
historic information about relations to service providers and 
access to data, users will not be able to make the right 
decisions. For any amount of O, users should be able to 
keep an overview about elements and activities in $M(O)$ 
irrespective of the trust domain. The completeness of the 
overview should be total for T = and may become less 
for larger T. 

Users lack control. Users should also be informed about 
the context-dependent characteristics of $M_{T>0}(O)$ so they can 
start replicating, migrating, providing and sharing their objects 
accordingly. Without powerful control tools, the user might be 
locked into certain cloud environments while high costs are 
associated with any attempt at reversing this situation [5]. 

Users lack autarky. Just like users' private data should be 
under their control, there should be mechanisms to replicate 
public data sets and appropriately licenced public services into 
the local domain. Hence, a transformation of T > to T = 
is required. This especially applies to data on the platform 
level, such as the contents of a service registry, so that a non- 
trivial amount of cloud control tasks can be initiated even when 
being temporarily offline. Solving this problem also means 
giving users the tools to provide services by themselves, if 
needed. 

V. Existing Approaches 

While the problems extracted in the previous section have 
already been known to some extent and for some time, existing 
approaches to solve them do not focus on their combination. 

Private Virtual Infrastructures, representing a new cloud 
management model [6], shift security and privacy risks midway 
back to the provider and thereby reduce efforts required 
by the user. However, they assume changes to today's IaaS 
and do not consider the <PS>aaS layers and hence the interactive 
involvement of the user, turning them more into a 
complementary base technology. Nevertheless, their embodied 
secure migration processes could serve as a realisation of the 
corresponding cloud activities. 



Personal software and data distribution systems, which are 
increasingly integrated into operating system desktops, provide 
sophisticated repository and peer-to-peer sharing, versioning, 
and dependency control. An example is the advanced Debian 
package solver [7]. However, these systems currently 
lack integration with resource control and user management 
systems. Another approach is to control the user's activity 
mobility in certain collaborative contexts [8]. It is targeting 
interactive sessions in distributed operating systems rather than 
heterogeneous cloud computing environments. 

The definition of trust in cloud environments is a fairly 
new research topic [9]. Therefore, our work omits further 
formalisation of this aspect and relies on a hierarchical scalar 
trust metric. 

VI. Proposed Software Architecture 

Built upon the user-centric model of cloud elements and 
activities, and influenced by the goal to overcome weaknesses 
of related approaches to solve the identified potential problems, 
we suggest an abstract cloud control architecture. It is 
supposed to be used as a blueprint for an interactive realisation 
for exerting control of the personal service provisioning and 
consumption activities in public and community cloud computing 
environments. 

The proposed personal cloud control functionality, named 
π-Control, imports public lists of objects available on marketplaces 
$M_{T>0}(O)$ by their respective category of S, D and 
R. Matching private directories of objects available to the 
user $M_{T0}(O)$ are managed similarly. Users can search in all 
directories and extend them by advertising their own objects, 
via conventional link-only registration or export of the object 
itself. The environment surrounding π-Control is shown in 
Fig. 3. 

Fig. 3. π-Control environment 

Users shall have the possibility of not just migrating and 
replicating the objects between trust zones, but also using them 
in various ways. This includes the deployment of software and 
storage of data onto resources. Furthermore, users should be 
able to manage their data, including tagging and access control 
to influence data placement and external use strategies. Given 
that π-Control interacts with a PaaS in the user's trust domain, 
service contracting through SLAs and non-guaranteed property 
descriptions will direct and constrain the usage options. In 
addition, a local PaaS can be used to empower the user to 
provide services without relying on untrusted infrastructure. 
The resulting abstract architecture is shown in Fig. 4. 

Fig. 4. π-Control architecture 



Service directories are based upon public marketplace interfaces, 
community registries, local network auto-discovery 
services, and strictly local information depending on the device 
on which π-Control runs. 

For each new directory and service provider, a trust level 
can be assigned, with trust inheritance from directories to 
providers and from providers to services unless overridden 
by the user. Directories of directories can similarly be added 
to find out about new markets which, in turn, inherit the 
directories' trust levels. In parallel to the user-defined trust, 
author-defined licencing rules govern the general use of data 
and software services. For example, replicas (or partial caches) 
of public open data sets from governments or researchers will 
generally be made available to anybody with login permission 
to the π-Control-governed devices. 
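
The inheritance rule above, combined with the total order of trust levels from Section III, can be sketched as follows. This is an added example, not code from the paper or the FlexCloud project; all node names are hypothetical, the numeric levels 2 and 3 are assumptions, and excluding services without any assigned level is a fail-closed choice made here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    """Directory of directories, directory, provider or service (names are hypothetical)."""
    name: str
    parent: Optional["Node"] = None
    trust: Optional[int] = None  # level T set by the user here; None means inherit

def effective_trust(node: Node) -> Optional[int]:
    """Walk up until a user-assigned level is found; None if nothing on the path has one."""
    seen = set()
    while node is not None and id(node) not in seen:
        if node.trust is not None:
            return node.trust
        seen.add(id(node))
        node = node.parent
    return None

def replication_targets(max_t: int, services: list) -> list:
    """Services an object limited to trust level max_t may be replicated to,
    in order of preference (lowest T first). Unrated services are excluded."""
    rated = [(effective_trust(s), s.name) for s in services]
    return [name for t, name in sorted(r for r in rated if r[0] is not None)
            if t <= max_t]

# Constructed sample hierarchy. T = 0 is the user's own zone and T = 1 a community;
# using 2 for identified companies and 3 for unknown operators is an assumption.
home = Node("home-directory", trust=0)
community = Node("lab-registry", trust=1)
index = Node("market-index", trust=3)                 # directory of directories
market = Node("public-market", parent=index)          # inherits 3 from the index
acme = Node("acme-storage", parent=market, trust=2)   # provider overridden by the user
anon = Node("anon-host", parent=market)               # provider inherits 3
SERVICES = [
    Node("nas-backup", parent=Node("nas", parent=home)),
    Node("lab-share", parent=Node("lab-server", parent=community)),
    Node("acme-bucket", parent=acme),
    Node("anon-bucket", parent=anon),
    Node("orphan-store", parent=Node("unlisted-provider")),  # no level anywhere
]

if __name__ == "__main__":
    for s in SERVICES:
        print(f"{s.name:14} T = {effective_trust(s)}")
    print("limit T<=1:", replication_targets(1, SERVICES))
    print("limit T<=2:", replication_targets(2, SERVICES))
```

Removing the override on `acme-storage` makes its services fall back to the level of the market index, which is why a change to a directory's trust level should be reviewed like a change to every provider below it.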

Two kinds of context will influence the control centre behaviour: 
contracts with service providers, and their availability. 

Several activities are contract-context-dependent. For example, 
backup of data will need at least one storage service 
contract. With at least two such contracts, backups can be 
split and redundantly dispersed with secret-sharing algorithms, 
lowering the dependency on individual providers. Likewise, 
outsourcing services through remote deployment requires a 
contract with a compute service. 

Other activities are availability-context-dependent. For example, 
a nearby storage server might not always be switched 
on or not available when roaming. Similarly, a contract-bound 
data provider might not be reachable. Data replication and 
synchronisation techniques working on platform-level data like 
registry information and on DaaS-level data minimise the 
impact of limited availability. 

In order to achieve higher autarky and more precise information, 
we propose to rely on distributed version control 
systems. These systems combine the advantages of peer-to- 
peer systems, including even offline operation, with reliable 
history information and roll-back capabilities. 

All services need to be sufficiently described. Notable 
attributes include identification, function, provider information, 
pricing, further non-functional properties and technical 
requirements. New developments in service descriptions such 
as the Unified Service Description Language (USDL) promise 
to solve this task. However, USDL has only been evaluated for 
SaaS and Human-as-a-Service (HaaS) so far, not yet for RaaS 
and DaaS. The level of automation which can be achieved 
for service placement and data replication strategies is closely 
tied to the expressivity, accuracy and general quality of the 
property specifications. 

User privileges, access permissions, roles and identities have 
historically been implemented within the applications. As the 
trend towards SaaS continues, these concerns are increasingly 
confined to an appropriate service structure. However, many 
cloud providers run their own user management infrastructure. 
As a requirement especially for collaborative scenarios, such 
as smart office applications delivered from the cloud for 
dynamically composed groups of users, π-Control shall treat 
user privileges as a dedicated data set which is subject to the 
same replication mechanisms as regular sets. This way, configurations 
of access control to multi-tenant services can easily 
be propagated to various cloud providers. The access control 
rules are applied in conjunction with the object licencing 
metadata. An existing use case covered by this combination 
is the collaborative work on public open data which is tagged 
as such [10]. 

To summarise the architectural concept: based on rich and 
high-quality declarative service descriptions and integration 
with local PaaS-level service provisioning infrastructures, the 
control centre offers synchronised, context-dependent and 
service-kind-dependent overview and control functionality for 
individual and collaborative cloud computing usage scenarios. 

VII. User Interface Considerations 

Considering that the target groups of π-Control are consumers 
and producers in the cloud, as opposed to experienced 
operators, the user interface should be clean, intuitive and free 
of unexpected surprises. We believe that there is room for new 
interaction patterns, such as drag-and-drop for service and data 
migration between clouds, hiding the migration details and 
underlying protocols. 

A sketch for one possible variant of the user interface is 
given in Fig. 5. It clearly differentiates between offers from 
directories in various trust domains and objects under the 
control of the user, including their instances and context- 
dependent actions. 

VIII. Summary and Outlook 

We have discussed the need for personal cloud control 
centres and introduced a suitable architecture based on a 
custom model of cloud elements and activities. Within the 
next months, we will work on an implementation within 
the context of the FlexCloud¹ project. Special attention will 
be paid to the consideration of non-functional properties for 
service placement and data replication strategies. Moreover, 
we plan to build an appliance consisting of hardware resources, 
a preconfigured service platform installation and π-Control 
running on top of it. 

¹ FlexCloud: http://flexcloud.eu/ This work has received funding from the European 
Social Fund and the Free State of Saxony, Germany, under project number 
080949277. 

Fig. 5. π-Control user interface mockup 